- From: Frederick Hirsch <frederick.hirsch@nokia.com>
- Date: Thu, 8 Jan 2009 12:51:10 -0500
- To: public-webapps <public-webapps@w3.org>
- Cc: Frederick Hirsch <frederick.hirsch@nokia.com>, XMLSec WG Public List <public-xmlsec@w3.org>

I would like to raise an issue related to Widget Requirement R46 which specifies DSA Signature [1] and the Widgets 1.0 Digital Signature editors draft [2] that requires DSA-SHA256 since this may not be a good algorithm choice.

One concern is availability of implementations, a question that was raised on today's Web Applications teleconference.

I have a comment below from Brian LaMacchia, a member of the XML Security WG, that notes the issue. Much thanks Brian for noting this issue and expressing it clearly.

regards, Frederick

Frederick Hirsch
Nokia

[1] http://dev.w3.org/2006/waf/widgets-reqs/#r46.-
[2] http://dev.w3.org/2006/waf/widgets-digsig/#digital

Begin forwarded message:

> From: "ext Brian LaMacchia" <bal@exchange.microsoft.com>
> Date: January 8, 2009 12:23:09 PM EST
> To: Frederick Hirsch <frederick.hirsch@nokia.com>
> Subject: RE: DSA-SHA-256?
>
> No, my comment (I think) was that I was quite surprised by the
> Widget folks choosing DSA-SHA256 as the mandatory-to-implement
> signature alg, because (a) it's not a standard yet (until FIPS 186-3
> comes out), (b) there are no widely-deployed implementations today,
> and (c) I don't see any other standard org going in that direction.
> Everyone is moving to ECDSA-SHA256 (if anything) -- that's what the
> US Government is moving towards with the Suite B set of algorithms,
> that's what we're moving to in 1.1, etc.
>
> SHA-1 is dying, so Widget clearly needs to use at least SHA-256.
> But I would have expected them to go for ECDSA-SHA256 or (perhaps)
> RSA-SHA256, but for small devices like cellphones ECDSA-SHA256 would
> make more sense.
>
> Hope that helps,
>
> --bal

Received on Thursday, 8 January 2009 17:51:52 UTC